Patch Opcache-password.patch for opcache Bug #66462
Patch version 2014-01-10 23:38 UTC
Return to Bug #66462 |
Download this patch
Patch Revisions:
Developer: Terry@ellisons.org.uk
--- a/zend_accelerator_module.c
+++ b/zend_accelerator_module.c
@@ -35,6 +35,7 @@
#endif
#include "ext/standard/info.h"
#include "ext/standard/php_filestat.h"
+#include "ext/standard/md5.h"
#define STRING_NOT_NULL(s) (NULL == (s)?"":s)
#define MIN_ACCEL_FILES 200
@@ -48,6 +49,10 @@ static void (*orig_is_readable)(INTERNAL_FUNCTION_PARAMETERS) = NULL;
ZEND_BEGIN_ARG_INFO(arginfo_opcache_none, 0)
ZEND_END_ARG_INFO()
+ZEND_BEGIN_ARG_INFO_EX(arginfo_opcache_enable_api, 0, 0, 1)
+ ZEND_ARG_INFO(0, password)
+ZEND_END_ARG_INFO()
+
ZEND_BEGIN_ARG_INFO_EX(arginfo_opcache_get_status, 0, 0, 0)
ZEND_ARG_INFO(0, fetch_scripts)
ZEND_END_ARG_INFO()
@@ -62,6 +67,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_opcache_invalidate, 0, 0, 1)
ZEND_END_ARG_INFO()
/* User functions */
+static ZEND_FUNCTION(opcache_enable_api);
static ZEND_FUNCTION(opcache_reset);
static ZEND_FUNCTION(opcache_invalidate);
@@ -72,6 +78,7 @@ static ZEND_FUNCTION(opcache_get_configuration);
static zend_function_entry accel_functions[] = {
/* User functions */
+ ZEND_FE(opcache_enable_api, arginfo_opcache_compile_file)
ZEND_FE(opcache_reset, arginfo_opcache_none)
ZEND_FE(opcache_invalidate, arginfo_opcache_invalidate)
ZEND_FE(opcache_compile_file, arginfo_opcache_compile_file)
@@ -83,6 +90,11 @@ static zend_function_entry accel_functions[] = {
static int validate_api_restriction(TSRMLS_D)
{
+ if (!ZCG(accel_directives).api_enabled) {
+ zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " API is restricted by \"api_password\" configuration directive");
+ return 0;
+ }
+
if (ZCG(accel_directives).restrict_api && *ZCG(accel_directives).restrict_api) {
int len = strlen(ZCG(accel_directives).restrict_api);
@@ -278,6 +328,7 @@ ZEND_INI_BEGIN()
STD_PHP_INI_BOOLEAN("opcache.enable_cli" , "0" , PHP_INI_SYSTEM, OnUpdateBool, accel_directives.enable_cli, zend_accel_globals, accel_globals)
STD_PHP_INI_ENTRY("opcache.error_log" , "" , PHP_INI_SYSTEM, OnUpdateString, accel_directives.error_log, zend_accel_globals, accel_globals)
STD_PHP_INI_ENTRY("opcache.restrict_api" , "" , PHP_INI_SYSTEM, OnUpdateString, accel_directives.restrict_api, zend_accel_globals, accel_globals)
+ STD_PHP_INI_ENTRY("opcache.api_password" , "" , PHP_INI_SYSTEM, OnUpdateString, accel_directives.api_password, zend_accel_globals, accel_globals)
#ifdef ZEND_WIN32
STD_PHP_INI_ENTRY("opcache.mmap_base", NULL, PHP_INI_SYSTEM, OnUpdateString, accel_directives.mmap_base, zend_accel_globals, accel_globals)
@@ -675,6 +686,47 @@ static ZEND_FUNCTION(opcache_get_configuration)
add_assoc_zval(return_value, "blacklist", blacklist);
}
+/* {{{ proto bool opcache_enable_api(string password)
+ Enable use of opcache API if opcache.enable_api is defined */
+static ZEND_FUNCTION(opcache_enable_api)
+{
+ char *password;
+ int password_len;
+ char md5str[33];
+ PHP_MD5_CTX context;
+ unsigned char digest[16];
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &password, &password_len) == FAILURE) {
+ return;
+ }
+
+ if (!ZCG(enabled) || !accel_startup_ok || !ZCSG(accelerator_enabled)) {
+ RETURN_FALSE;
+ }
+
+ /* Copy of PHP_NAMED_FUNCTION(php_if_md5) using public API in ext/standard/md5.h */
+ if (!ZCG(accel_directives).api_enabled && strlen(ZCG(accel_directives).api_password) == 32) {
+ md5str[0] = '\0';
+ PHP_MD5Init(&context);
+ PHP_MD5Update(&context, password, password_len);
+ PHP_MD5Final(digest, &context);
+ make_digest(md5str, digest);
+ if (memcmp(md5str, ZCG(accel_directives).api_password, 32)) {
+ zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " Invalid API enable password");
+ RETURN_FALSE;
+ } else {
+ ZCG(accel_directives).api_enabled = 1;
+ }
+ }
+
+ if (!validate_api_restriction(TSRMLS_C)) {
+ RETURN_FALSE;
+ }
+ RETURN_TRUE;
+
+}
+
+/* }}} */
/* {{{ proto void accelerator_reset()
Request that the contents of the opcode cache to be reset */
static ZEND_FUNCTION(opcache_reset)
--- a/ZendAccelerator.c
+++ b/ZendAccelerator.c
@@ -2167,6 +2167,9 @@ static void accel_activate(void)
}
}
+ /* The API is enabled by default if opcache.api_password == "" */
+ ZCG(accel_directives).api_enabled = (!ZCG(accel_directives).api_password || !*ZCG(accel_directives).api_password);
+
ZCG(cwd) = NULL;
SHM_PROTECT();
--- a/README
+++ b/README
@@ -213,6 +213,12 @@ opcache.restrict_api (default "")
Allows calling OPcache API functions only from PHP scripts which path is
started from specified string. The default "" means no restriction.
+opcache.api_password (default "")
+ calling OPcache API functions only from PHP scripts which first
+ the API by calling opcache_enable_api("password"). This parameter
+ is set to the MD5 of the required password. Note that if the
+ opcache.restrict_api is also set then both tests are applied.
+
opcache.mmap_base
Mapping base of shared memory segments (for Windows only). All the PHP
processes have to map shared memory into the same address space. This
|
Copyright © 2001-2024 The PHP Group